California Adopted a GDPR-like Privacy Law: What Does It Mean for You?

Organizations worldwide are already feeling the impact of the General Data Protection Regulation (GDPR) that went into effect in the European Union on May 25, 2018. As a result of that and other regulations, as well as recent privacy-related events, data privacy and security issues remain top-of-mind concerns for businesses and consumers. Now, California has upped the ante with the passage of the California Consumer Privacy Act of 2018 (CCPA), a trailblazing privacy law that will take effect January 1, 2020.

The CCPA requires all businesses with customers in California to disclose the personal information they store, the purpose of storing that information, and with whom that information is shared or to whom it is sold. Organizations should immediately review their data handling and collection practices to determine how this law will affect them and implement controls, as needed, to mitigate the associated risk.

Every affected organization is likely to require new customer data strategies, depending upon business constraints and technical limitations. One challenge for many organizations will be ensuring they can respond to consumer privacy requests in a timely manner. Many companies are not currently in a position to respond effectively to these types of requests and will require significant new data inventory and management processes.

Privacy laws such as CCPA and GDPR continue to reinforce the theme from government and regulatory authorities that protecting consumers and promoting responsible innovation are of the utmost importance.

Although all U.S. states and territories have laws on the books governing the reporting of data breaches, California is among several states that are taking data privacy to the next level, with GDPR-like consumer data privacy protections.

Vermont, for example, passed legislation in May to regulate data brokers. The law, which goes into effect on January 1, 2019, requires data brokers to register with the Vermont Attorney General; file annual data privacy practice and breach reports; and develop, implement and maintain a comprehensive written information security program with administrative, technical and physical safeguards. Other states that have recently introduced or passed tougher consumer data provisions include Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, North Dakota and Virginia.

A significant number of organizations are not fully aware of the data they are collecting, where it is stored or how it is shared. In addition, many organizations mishandle the response activity, often failing compliance audits and/or experiencing fallout from a breach.

For these reasons, despite having an 18-month window, most organizations can benefit from performing an initial assessment now to determine if they are currently in compliance with the new California law and identify gaps to address. If the GDPR provides any lessons learned, it is that organizations typically require 12 to 18 months to meet these types of requirements and develop sustainable processes for compliance.

For more details on the new law and steps businesses can take to prepare, you can read the Protiviti analysis here.